New VMware Update Addresses Critical RCE Vulnerability in vCenter Server
VMware has rolled out software updates to fully address a previously patched security issue in vCenter Server that could result in remote code execution.
The vulnerability, identified as CVE-2024-38812 (CVSS score: 9.8), pertains to a heap-overflow flaw in the DCE/RPC protocol’s implementation.
“An adversary with network connectivity to vCenter Server could exploit this weakness by transmitting a specially crafted network packet that could allow for remote code execution,” stated the virtualization services provider owned by Broadcom.
The security flaw was initially disclosed by zbl and srs from team TZL during the Matrix Cup cybersecurity contest held in China earlier this year.
“vCenter patches released on September 17, 2024, were found to be inadequate in addressing CVE-2024-38812,” the company remarked.
Fixes for this vulnerability have been included in the following vCenter Server versions:
- 8.0 U3d
- 8.0 U2e, and
- 7.0 U3t
An asynchronous patch is also available for VMware Cloud Foundation versions 5.x, 5.1.x, and 4.x. No mitigation strategies are currently known.
Even though there is no indication of the vulnerability being exploited in the wild, users are recommended to update to the newest versions as a precaution against potential risks.
In July 2021, China enacted a regulation that mandates researchers within the country to promptly report vulnerabilities they discover to both the government and the product’s manufacturer, sparking concerns that it might enable nation-state actors to accumulate zero-days and weaponize them in their favor.